For some reason it’s not straight-forward to create new credentials for an existing Service Principal account in Azure Active Directory using PowerShell.

I’m using PowerShell, because I’m not an Azure AD admin in my current organization, but as a developer, I am able to create and manage service principal accounts. This is extremely convenient, because we use them for automated deployments to Azure.

We started using Azure DevOps release management about a year ago, and thus I recently encountered the first credential expiration of a service principal that was used by Azure DevOps to deploy resources to Azure. This makes sense, because service principal credential lifetime defaults to one year.

I’ve started working with Azure DevOps (previously known as Visual Studio Team Services – VSTS, previously known as Visual Studio Online…).

I’m using it to automated Azure deployments in some projects.

In our setup we have several different environments (dev, test, prod, etc.). Depending on the project, the environments are either Azure Resource Groups or completely different Azure subscriptions. In any case, we have created service principal accounts in our Azure Active Directory, that have the necessary Contributor roles to those subscriptions or resource groups, where they should be able to deploy resources.

The service principals have been added to Azure DevOps as Service Connections, so that we have a service connection for each project and environment.

We want to use a Release Pipeline for each project. Each Pipeline has a stage per environment.

Releases are triggered using package management (in these projects we don’t use VSTS for source control and build). Instead, our build server generates NuGet packages and uploads them to Azure DevOps package management, and this triggers the release process.